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Abstract. Wc propose a general methodology for testing whether a given polynomial with 
integer coefficients is identically zero. The methodology evaluates the polynomial at efficiently com- 
putable approximations of suitable irrational points. In contrast to the classical technique of DcMillo, 
Lipton, Schwartz, and Zippel, this methodology can decrease the error probability by increasing the 
precision of the approximations instead of using more random bits. Consequently, randomized algo- 
rithms that use the classical technique can generally be improved using the new methodology. To 
' demonstrate the methodology, we discuss two nontrivial applications. The first is to decide whether a 

' graph has a perfect matching in parallel. Our new NC algorithm uses fewer random bits while doing 

less work than the previously best NC algorithm by Chari, Rohatgi, and Srinivasan. The second 
application is to test the equality of two multisets of integers. Our new algorithm improves upon 
the previously best algorithms by Blum and Kannan and can speed up their checking algorithm for 
■ sorting programs on a large range of inputs. 

Key words. Polynomial identification, Galois theory, randomized algorithms, parallel algo- 
rithms, program checking, perfect matchings, multiset equality test 
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1. Introduction. Many algorithms involve checking whether certain polynomi- 
q \ als with integer coefficients are identically zero. Often times, these polynomials have 

exponential-sized standard representations while having succinct nonstandard repre- 
sentations |],|l7],[ll| [22|. This paper focuses on testing such polynomials with integer 



J> ■ coefficients 



Given a polynomial Q(x\, . . . , x q ) in a succinct form, a naive method to test it is 
to transform it into the standard simplified form and then test whether its coefficients 
are all zero. Since Q may have exponentially many monomials, this method may 
take exponential time. Let cLq be the degree of Q. DeMillo and Lipton ||, Schwartz 
[fLsf and Zippel |^2| proposed an advanced method, which we call the DLSZ method. 
ON ' It evaluates Q(ii, . ■ . , iq), where i\, . . . , i q are uniformly and independently chosen 

*"^5 . a t random from a set S of 2oIq integers. This method uses q\\og(2d,Q)~\ random 

bits and has an error probability at most h. (Every log in this paper is to base 
2.) There are three general techniques that use additional random bits to lower 
the error probability to 4 for any integer t > 2. These techniques have their own 
advantages and disadvantages in terms of the running time and the number of random 



5— i 

bits used. The first performs [logi] independent evaluations of Q at [log(2dg)]-bit 
integers, using g[log(2d<g)] [logf] random bits. The second enlarges the cardinality 
of S from 2oIq to td,Q and performs one evaluation of Q at [log(fdg)]-bit integers, 
using q [log dq + logf] random bits. The third is probability amplification Jig] , A 
basic such technique works for t < 2 <z r i °s( 2d o)l by performing t pairwise independent 
evaluations of Q at [log(2dq)]-bit integers, using 2q[log(2dg)] random bits. Stronger 
amplification can be obtained by means of random walks on expanders 0, [s], ^] . 
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In §||, we propose a new general methodology for testing Q(x\, . . . , x q ). Our 
methodology computes Q(ni, . . . ,7t q ), where %x, . . ., ~K q are suitable irrational numbers 
such that Q{tt\, ■ ■ ■ , 7r g ) = if and only if Q(x\, . . . , x q ) = 0. Since rational arithmetic 
is used in actual computers, we replace each iTi with a rational approximation Tt[. A 
crucial question is how many bits each needs to ensure that Q(ir'i, ... ,n' q ) = 
if and only if Q{x\, . . . , x q ) = 0. We give an explicit answer to this question, from 
which we obtain a new randomized algorithm for testing Q. Our algorithm runs in 
polynomial time and uses J^^il^sidi + 1)1 random bits, where di is the degree of 
Xi in Q. Moreover, the error probability can be made inverse polynomially small by 
increasing the bit length of each 7r^. Thus, our methodology has two main advantages 
over previous techniques: 

• It uses fewer random bits if some di is less than cZq. 

• It can reduce the error probability without using one additional random bit. 
In general, randomized algorithms that use the classical DLSZ method can be im- 
proved using the new methodology. To demonstrate the methodology, we discuss two 
nontrivial applications. In §|3|, the first application is to decide whether a given graph 
has a perfect matching. This problem has deterministic polynomial-time sequential 
algorithms but is not known to have a deterministic NC algorithm j?], [l3], ^lj . We 
focus on solving it in parallel using as few random bits as possible. Our new NC 
algorithm uses fewer random bits while doing less work than the previously best NC 
algorithm by Chari, Rohatgi, and Srinivasan Q. In the second application is to 
test the equality of two given multisets of integers. This problem was initiated by 
Blum and Kannan (3) for checking the correctness of sorting programs. Our new 
algorithm improves upon the previously best algorithms developed by them and can 
speed up their checking algorithm for sorting programs on a large range of inputs. 

2. A new general methodology for testing polynomials. The following 
notation is used throughout this paper. 

• Let Q{x\, . . . ,x q ) be a polynomial with integer coefficients; we wish to test 
whether Q(xi, . . . , x q ) = 0. 

• For each Xi, let di be an upper bound on the degree of Xi in Q. Let ki = 
[log^ + l)]. 

• Let k — max| =1 ki and K = X)l=i K \s the number of random bits used 



by the methodology as shown in Theorem 2.3. 

• Let d be an integer upper bound on the degree of Q; without loss of generality, 
we assume d > max| =1 dj. 

• Let c be an upper bound on the absolute value of a monomial's coefficient in 
Q. 

• Let Z be an upper bound on the number of monomials in Q; without loss of 
generality, we assume Z < Yli=o I 1 - 

• Let i[> = log c + log Z + d(\og k + log 2 K + log In K ) . Let I be an integer at least 
ip + 1 + log d; £ determines the precision of our approximation to the irrational 
numbers chosen for the variables Xi. 

For example, if all di — 1, then ki = 1, K = q, and our goal is to use exactly q random 
bits, i.e., one bit per variable Xi. 

Lemma 2.1. Letpi t i,...,pi j k 1 ,---,P q ,i,---,P q ,k q be K distinct primes. For each 

ki 



Pij, let bij be a bit. For each Xi, let Tii = l) 6i,J \/Pi~j- Then Q(x\, . . . , x q ) 
^ if and only if Q(tti, . . . , 7r ? ) =/= 0. 

Proof. This lemma follows from Galois theory in algebra jl4|]. Let Aq = Bq 
be the field of rational numbers. For each Xj, let Kj = ^2l =1 ki. Let Aj be the 
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field generated by 7Ti,7T2, • • • , 7Tj over A . Also, let B,j be the field generated by 
Pi i, . . . ,Pi ki> ■ ■ ■ jPjii ■ ■ ■ iPj,k over B . By induction, Aj = Bj, the dimension of 
Aj over Aq is 2 Kj , and the dimension of Aj over A,_i is 2 kj . Thus, ttj is not a root 
of any nonzero single variate polynomial over Aj-i that has a degree less than 2 kj . 
Since dj < 2 kj , by induction, <5(7Ti, . . . ,irj,Xj+i, . . . ,x q ) ^ 0. The lemma is proved 
at j = q. D 



In light of Lemma 2.1, the next algorithm tests Q(x\, . . . ,x q ) by approximating 
the irrational numbers ^/Pij and randomizing the bits bij. 
Algorithm 1. 

1. Compute q, d\, . . . , d q , k±, . . . , k q , K, d, c, Z. 

2. Choose Px,x, ■ ■ ■ ,Pi,fe i; ■ ■ • ,Pq,i, ■ ■ ■ ,Pq,k q to be the K smallest primes. 

3. Choose each bij independently with equal probability for and 1. 

4. Pick £, which determines the precision of our approximation to s/pij- 

5. For each Pij, compute a rational number r-jj from ^/Pij by cutting off the 
bits after the ^-th bit after the decimal point. 

6. Compute A = Q^% x {-l)^r^, . . • ,£ ■l 1 (-l) b "> 9J ). 

7. Output ...,x q )^ 0" if and only if A f 0. 

The next lemma shows how to choose an appropriate I at Step || of Algorithm |l|. 

Lemma 2.2. If Q{x\, . . . , x q ) =t 0, then |A| > 2~ £ with probability at least 1 — 

t 



f-l-logd' 

Proof. For each combination of the bits 6,-j, Q(ttx, . . . , n q ) is called a conjugate. 
By the Prime Number Theorem pj , y/pij < \f~K\x\K and thus |-7T£ j < ky/K In K. 
Then, since Q has at most Z monomials, each conjugate's absolute value is at most 
2^ = cZ(k^fK\nK) d . Let f = I - ip - 1 - logd. Let a be the number of the 
conjugates that are less than 2~ l . Let (3 = 2 K — a be the number of the other 
conjugates. Let II be the product of all the conjugates. By Lemma 2.1, LT ^ 0, 
and by algebra n is an integer. Thus, | H j > 1 and a(— £') + pip > 0- Hence, 
2^ > TPpj) j i- e ' | <9 (tti , ■ ■ ■ >7Tg))| > with the desired probability. We next show 
that if |Q(7ri,...,ir,)| > then |A| > 2~<. Since r itj > Jpij-^r 1 , Y%Li n,j > 



\iri\ — k2~ e . So approximating pij reduces each monomial term's absolute value 
in Q(tti, . . . ,7T g ) by at most c(k\/E\n K) d - 1 dk2~ e . Thus, |A| > \Q(wi, . . . , % q )\ - 
cZ(ky/R In K) d 2- e+1 °z d > |Q(vri,...,7r 9 )| -2- / - 1 > 2~ l . □ 

Theorem 2.3. For a given t > I, set I > tip + 1 + logd. If Q(x%, . . . ,x m ) = 0, 
Algorithm ^| always outputs the correct answer; otherwise, it outputs the correct answer 
with probability at least 1— j. Moreover, it uses exactly K random bits, and its error 
probability can be decreased by increasing t without using one additional random bit. 

Proof. This theorem follows from Lemma 2.2 immediately. □ 

Let | \ Q\ | be the size of the input representation of Q. The next lemma supplements 
Theorem 2J3 by discussing sufficient conditions for Algorithm [j] to be efficient. 

Lemma 2.4. With Z — X^=i 9% Algorithm^ takes polynomial time in \\Q\\ and 
t under the following conditions: 

• The parameters q,d\, . . . ,d q ,d are at most (t\ \Q\ |)°^ and are computable in 
time polynomial in t\\Q\\. 

• The parameter c is at most 2°(*" ( 2") and is computable in time polynomial in 

t\\Q\l 

• Given I' -bit numbers p\, Q(p[, . . . ,p' q ) is computable in time polynomial in 
t\\Q\\ and £'. 
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Proof. The proof is straightforward based on the following key facts. There are 
at most (t\ \Q\ l) ^ 1 ' primes Pij, which can be efficiently found via the Prime Number 
Theorem. Each nj has at most (t\ \Q\ \)°^ bits and can be efficiently computed by, 
say, Newton's method. □ 

We can scale up the rationals n t j to integers and then compute A modulo a 
reasonably small random integer. As shown in later sections, this may considerably 
improve the efficiency of Algorithm |l| by means of the next fact. 

Fact 1 (Thrash Q). Let h> 3 be an integer. If H is a subset of {1, 2, . . . , h 2 } 
with \H\ > then the least common multiple of the elements in H exceeds 2 h . 
Thus, for a given positive integer h' < 2 h , a random integer from {1, 2, . . . , h 2 } does 
not divide h' with probability at least ^. 

3. Application to perfect matching test. Let G = (V,E) be a graph with n 
vertices and m edges. Let V = {1, 2, . . . , n}. Without loss of generality, we assume 
that n is even and m > ^. A perfect matching of G is a set L of edges in G such that 
no two edges in L have a common endpoint and every vertex of G is incident to an 
edge in L. 

Given G, we wish to decide whether it has a perfect matching. This problem is 
not known to have a deterministic NC algorithm. The algorithm of Chari , Rohatgi, 
and Srinivasan Q] uses the fewest random bits among the previous NC algorithms. 
This paper gives a new algorithm that uses fewer random bits while doing less work. 



For ease of discussion, a detailed comparison is made right after Theorem 3.2 



3.1. Classical ideas. The Tutte matrix of G is the nxn skew-symmetric matrix 
M of m distinct indeterminates yif 

!Vi,3 if {h j} € E and i < j, 
-Uj,i if € E and i > j, 
otherwise. 

Let L = {{ii, ji}, ■ ■ ■ , Jf}} De a perfect matching of G where i\ < < 
j 2 ,...,i& < j& and i x < i 2 < ■ ■ ■ < i% . Let ir(L) = yi ujl yi 2 .j 2 ■ ■ ■ Din., jo.- Let 
er(L) = 1 or —1 if the following permutation is even or odd, respectively: 

1 2 ••• n-1 n 

h ji ■■■ if 

Let Pf(G) = J2l 7r (^) cr (^)i where L ranges over all perfect matchings in G. 
Fact 2 (Fisher and Kasteleyn f|, Tutte @). 

• detM = (Pf(G)) 2 . 

• G has a perfect matching if and only if detM ^ 0. 

Combining Fact || and the DLSZ method, Lovasz jjJI gave a randomized NC 
algorithm for the matching problem. Since the degree of det M is at most n, this 
algorithm assigns to each Xij a random integer from {1,2,..., 2n} uniformly and 
independently and outputs "G has a perfect matching" if and only if det M is nonzero 
at the chosen integers. Its error probability is at most ^, using m|~log(2n)] random 
bits. The time and processor complexities are dominated by those of computing the 
determinant of an n x n matrix with 0(logn)-bit integer entries. 

3.2. A new randomized NC algorithm. A direct application of Theorem |2.3| 
to detM uses 0{m) random bits, but our goal is 0(n + log m/n) bits. Therefore, we 
need to reduce the number of variables in det M. 
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• Let G' be the acyclic digraph obtained from G by orienting each edge {i,j} 
into the arc (min{i, j}, max{i, j}). 

• For each vertex i in G", let rii be the number of outgoing arcs from i. 

• Let hi = if n, = 0; otherwise, hi = [log ni\ . 

• Let q = Y17=i Note that q < n + n log ^. 

• Let xi, X2, . . ., x q be g distinct new indeterminates. 

We label the outgoing arcs of each vertex as follows. If n\ = 0, then ver- 
tex 1 has no outgoing arc in G". If rii = 1, then label its unique outgoing arc 
with 1. If n\ > 2, then label its n\ outgoing arcs each with a distinct mono- 
mial in {(xi) ai (x2)° 2 • • • (xjj 1 ) afl i | each at is or 1}, which is always possible since 
2" 1 > n\. We label the outgoing arcs of vertex 2 in the same manner using 
+n 2 ■ We similarly process the other vertices i, each using the 
next hi available indeterminates x^. 

Let fij be the label of arc (i,j) in G' . Let Q{x\, . . . ,x q ) be the polynomial 
obtained from Pf(G) by replacing each indeterminate yi j with fi .j. 

Lemma 3.1. G /ias a perfect matching if and only if Q{x\, . . . , x q ) ^ 0. 

Proof. For each L as described in §3.1, let Ql — o-(L)fi 1 j 1 fi 2 j 2 ■ ■ ■ /»„ j„ . Then, 
Q = J^l Ql, where L ranges over all the perfect matchings of G. It suffices to prove 
that for distinct perfect matchings L\ and L2, the monomials Ql x and Ql 2 differ by 
at least one Xh- Let H be the subgraph of G induced by (L\ U L2) — {L\ n L^). H is 
a set of vertex-disjoint cycles. Since L\ ^ L2, H contains at least one cycle C. Let 
G' be the acyclic digraph obtained from G by replacing each edge {i, j} with the arc 
(min{i, j}, max{«, j}). G' contains two outgoing arcs and (1,^2) of some vertex 

i. So there is an indeterminate Xh used in arc labels for vertex i, whose degree is 1 in 
one of fij 1 and /j„- 2 but is in the other. Hence, the degree of Xh is 1 in one of Qli 
and Ql 2 but is in the other, which makes Qli and Ql 2 distinct as desired. □ 

To test whether G has a perfect matching, we use Algorithm [j] to test Q by means 
of Theorem |2.3| and Lemma 3.1. Below we detail each step of Algorithm [j]. 

Step |l|. Compute q. Then set di = 0J2 = • • • = d q = 1, fei = k% = •• • = k q = 1, 
K = q, d = q, c = 1. Further set Z = (^p)™ since the number of perfect matchings 
in G is at most n" =1 mi < (— ) n , where nii is the degree of node i in G. 

Step ^ This step computes the q smallest primes pi,i, P2,i, ■ ■ ■ , P<j : i, each at 
most gin q. Since a positive integer p is prime if and only if it is indivisible by any 
integer i with 2 < i < ^/p, these primes can be found in O(logg) parallel arithmetic 
steps on integers of at most |~log(l + gin 2 q)~\ bits using 0(q 15 log 3 q) processors. 

Step 3. This step is straightforward. 

Step I. Set I = \tip] + |Y| + 1, where -0 = nlog^f + q\og(^/qlnq). 

Step 5. We use Newton's method to compute r iyi from p^i. For the convenience 
of the reader, we briefly sketch the method here. We use go — pi : \ as the initial 
estimate. After the j-th estimate gj is obtained, we compute gj+\ — \{gj + ^")> 
maintaining only the bits of gj + i before the (£ + l)-th bit after the decimal point. 
Thus, gj + i < + — ). With obtained, we check whether g 2 +1 > p itl . If not, 
we stop; otherwise, we proceed to compute gj+2- Since the convergence order of the 
method is 2, we take the |~log(|~logp ii:L ] + £)]-th estimate as r,*^. So r^ .1, ■ ■ ■ , r q x can 
be computed in O (\og(i + logg)) parallel arithmetic steps with q processors. Note 
that each gj has at most |~log(l -I- gin 2 g)] + £ bits. 

Step ||. Evaluating A is equivalent to computing A 2 . A 2 is the determinant of 
an n x n skew-symmetric matrix M' whose nonzero entries above the main diagonal 
in the i-th row are either 1 or products of at most hi rationals among rx,i, . . . 
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Thus, each matrix entry has at most [logn] (|~log(l + gln 2 g)] + I ) bits. Setting up 
M' takes O(logn) arithemetic steps on 0(n 2 ) processors. 

Step 0. This step is straightforward. 

The next theorem summarizes the above discussion. 

Theorem 3.2. For any given t > 1, whether G has a perfect matching can be 
determined in Oi\og{nt)) parallel arithmetic steps on rationals of 0(tn log 3 n) bits 
using 0{n 2 ) processors together with one evaluation of the determinant of an n x n 
matrix of Oitnlog 3 n)-bit rational entries. The error probability is at most j, using 
q < n + n log ^ random bits. 

Remark. The best known NC algorithm for computing the determinant of an 
n x n matrix takes 0(log 2 n) parallel arithmetic steps using 0(n 2376 ) processors | fl6| . 

Proof. We separate the total complexity of Algorithm |l| into that for computing 
det M' and that for all the other computation. For the latter, the running time is 
dominated by that of Step ||; the bit length by that of the entries in M' at Step ^; 
and the processor count by that of setting up M'. □ 

The work of Chari , Rohatgi, and Srinivasan Q aims to use few random bits 
when the number of perfect matchings is small. Indeed, their algorithm uses the 
fewest random bits among the previous NC algorithms. For an error probability at 
most |, it uses min{28 [logdi] , 6m + 4J^™ =1 [logd,]} + O(logn) random bits, 
where di is the degree of vertex i in G. It also computes the determinant of an n x n 
matrix with 0(n 7 )-bit entries. In contrast, with t = 2 in Theorem [T^, Algorithm |l| 
has an error probability at most i while using fewer random bits, i.e., q < n + n log — 
bits. Moreover, using the best known NC algorithm for determinants, the work of 
Algorithm |l| is dominated by that of computing the determinant of an n x n matrix 
with entries of shorter length, i.e, 0(nlog 3 n) bits. 

The next theorem modifies the above implementation of Algorithm |l] by means 
of Fact [l] so that it computes the determinants of matrices with only 0(log(ni))-bit 
integer entries but uses slightly more random bits. 

Theorem 3.3. For any given t > 2, whether G has a perfect matching can 
be determined in 0(log(nt)) parallel arithmetic steps on rationals of 0(tn log 3 n) bits 
using 0(n 2 ) processors together with [logt] evaluations of the determinant of an nxn 
matrix of 0(\og{nt))-bit integer entries. The error probability is at most |, using 
q + 0(log t log(rzi)) random bits, which is at most n + nlog— + 0(logi log(ra')). 

Proof. We modify Steps || and [?] of the above implementation as follows. 

Step | 

• Compute M 1 as above. 

• For each (z, j)-th entry of M', we multiply it with 2^ ni+n ^ e in O(l) parallel 
arithmetic steps using 0{n 2 ) processors. Let M" be the resulting matrix; 
note that det M " = 2 2ql det M' and each entry of M" is an integer of at most 
3[logn](^+ [logn]) bits. 

• Let A = [log*]. Let u = n !.2 3 «n°gnK^+riognl). notc that |detM"| < u. We 
uniformly and independently choose A random positive integers w < [log u\ 2 
using 0(X\og(nt)) random bits in O(A) steps on a single processor. For each 
chosen w, we first compute M'" = M" mod it; in 0(1) parallel arithmetic 
steps using 0(n 2 ) processors; and then compute detM'" instead of det M'. 

Step 0. Output "G has a perfect matching" if and only if some det M'" is nonzero. 

By Fact 0, if det M" ^= 0, then some chosen w does not divide det M" with 
probability at least 1 — 2~ A . Thus, the overall error probability is at most j + 2~ A < |. 
We separate the total complexity of Algorithm |l| into that for computing det M'" and 



REDUCING RANDOMNESS VIA IRRATIONAL NUMBERS 



7 



that for all the other computation. As with Theorem 3.2, the running time of the 
latter remains dominated by that of Step [f| the bit length by that of the entries in 
M' at Step [| and the processor count by that of setting up M'. □ 

4. Application to multiset equality test. Let A = {ai, . . . ,a n } and B = 
{bi, . . . , b n } be two multisets of positive integers. Let a be the largest possible value 
for any element of AUB. Given A, B, and a as input, the multiset equality test problem 
is that of deciding whether A = B, i.e., whether they contain the same number of 
copies for each element in AU B. This problem was initiated by Blum and Kannan || 
to study how to check the correctness of sorting programs. They gave two randomized 
algorithms on a useful model of computation which reflects many sorting scenarios 
better than the usual RAM model. For brevity, we denote their model by MBK and 
the two algorithms by ABKi and ABK2. 

This section modifies the MBK model to cover a broader range of sorting appli- 
cations. It then gives a new randomized algorithm, which improves upon ABKi and 
ABK2 and can speed up the checking algorithm for sorting by Blum and Kannan || 
on a large range of inputs. 

4.1. Models of computation and previous results. In both the MBK model 
and the modified model, the computer has O(l) tapes as well as a random access 
memory of 0(logn + loga) words. The allowed elementary operations are +, — , x, /, 
<, =, and two bit operations shift-to-left and shift-to- right, where / is integer division. 
Each of these operations takes one step on integers that are one word long; thus the 
division of an integer of m± words by another of TO2 words takes 0[m\m-2) time. In 
addition, it takes one step to copy a word on tape to a word in the random access 
memory or vice versa. 

The only difference between the two models is that the modified model has a 
shorter word length relative to a and therefore is applicable to sorting applications 
with a larger range of keys. To be precise, in the MBK model, each word has 1+ [log a J 
bits, and thus can hold a nonnegative integer at most a. In the modified model, each 
word has £ = 1 + Llog niax{ [log n\ , [log a]} J bits, and thus can hold a nonnegative 
integer at most max{ [log rc] , [log a]}. 

Note that sorting A and B by comparison takes 0(n log n) time in the MBK 
model and 0(-^f^n log n) time in the modified model. However, in both models, if 
n > 2 a , the equality of A and B can be tested in optimal 0(n) time with bucket sort. 
Hence, we hereafter assume n < 2 a . We briefly review ABKi and ABK2 as follows. 

Let Qi(x) be the polynomial Y%=i x<li ~ Y^i=i xbi ■ ABKi selects a random prime 
w < 3a[log(n+l)] uniformly and computes Qi(n+1) modw in a straightforward man- 
ner. It outputs U A = B" if and only if Qi(n + 1) mod w is zero. Excluding the cost of 

computing w, ABKi takes O(nloga) time in the MBK model and O ^(i^^p-) 2 n loga^ 

time in the modified model. The error probability is at most |. 

Let Q2{x) be the polynomial n™ =1 (ir — c^) — n" =1 (x — bi). ABK2 uniformly se- 
lects a random positive integer z < An and a random prime w < 3n[log(a + 4n)] ; 
and computes P(z) inodw in a straightforward manner. It outputs 11 A = B" if 
and only if P(z) modw is zero. Excluding the cost of computing w, ABK 2 takes 
o(nmax{l,(^) 2 }) time in the MBK model and Q ( n a°gn+io S a)(g S n+io S iog ) ^ 

time in the modified model. The error probablity is at most |. 

Generating the random primes u> is a crucial step of ABKi and ABK2. It is 
unclear how this step can be performed efficiently in terms of running time and random 
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bits. We modify this step by means of Fact [l as follows. In ABK l5 \Qi(n + 1)| < 
2 i+alog(n+i)+logn. m ABK 2 , |Q 2 (2n)| < 2 1+ " °g( a + 4 ™). Thus, we can replace w in 
ABKi and ABK2 with two random positive integers w\ < (1 + alog(n + 1) + logn) 2 
and u>2 < (1 + nlog(a + 4n)) 2 , respectively. With these modifications, ABKi and 
ABK2 use at most 2 log a + 2 log log n + 0(1) and 31ogn + 21oglog(a + n) + 0(1) 
random bits, respectively. The time complexities and error probabilties remain as 
stated above. 

4.2. A new randomized algorithm. Our goal in this section is to design an 
algorithm for multiset equality test for the modified model that is faster than ABKi 
for n — cj((logloga) 2 ) and faster than ABK 2 for n = uj ((loga) losloga ). We can then 
use it to speed up the previously best checking algorithm for sorting || . 

• Let q = [log aj + 1 . 

• Let X\, . . ., x q be q distinct indeterminates. 

• For each u £ AuB, let f u denote the monomial (x\) Ul (a^)" 2 • ■ ■ ( x q) Uq , where 
U1U2 ■ ■ ■ u q is the standard g-bit binary representation of it. 

• Let Q(x\, . . . , x q ) denote the polynomial Y%=i f a i ~ S™=i fot ■ 

Note that Q(xi, . . . ,x q ) = if and only if A = B. To test whether A = B, we detail 
how to implement the steps of Algorithm [l] to test Q as follows. The algorithm is 
analyzed only with respect to the modified model. 



Remark. In the implementation, the parameter t of Theorem 2.3 needs to be a 
constant so that the algorithm can be performed inside the random access memory 
together with straightforward management of the tapes. At the end of this section, 
we set t — 4 but for the benefit of future research, we analyze the running time and 
the random bit count in terms of a general t. 

Step [l]. Compute q by finding the index of the most significant bit in the binary 
representation of a. Since a takes up 0(^p) words, this computation takes 0(q) time 
by shifting the most significant nonzero word to the left at most £ times. Afterwards, 
set d\ = di = ■ ■ ■ = d q = k\ = k% = ■ ■ ■ = k q = k = 1, K = d = q, c = n, and Z = In 
in 0(q) time. This step takes 0(q) time. 

Step 0. Compute the q smallest primes Pi,i,P2,i; ■ ■ ■ < 9 m2 1- We compute 
these primes by inspecting i = 2, 3, . . . one at a time up to qln 2 q until exactly q 
primes are found. Since i can fit into 0(1) words, it takes 0(yt r qlogq) time to check 
the primality of each i using the square root test for primes in a straightforward 
manner. Thus, this step takes 0(g 3//2 log 3 q) time. 

Step H This step is straightforward and uses q random bits and 0(|) time. 
Step H Set £ — + \q] + 1, where t is a given positive number and ij)' = 

2[logn] + [2li^l] +g[log[logg]l +1. The number [logn] can be computed from 
the input in O(n) time. The computations of [^p] an( ^ ri°S ri°S 1 are similar to 
Step and take O(logg) time. Thus, this step takes 0(n + \ogq+ -^M) time. 

Step|. As at Step| in §f^2, we use Newton's method to compute rn for each p h i . 



With only integer operations allowed, we use 2 f gj as the j-th estimate for 2 y/pij; 
i.e., 2 gj+i — (2 e gj + 2 2 ^Pi,i/(2^5j))/2. The last estimate computed in this manner 
is 1 s r i x . Since 2 e can be computed in 0((|) 2 ) time using a doubling process, the 

first estimate 2 e pi i i can be computed in the same amount of time. Since the other 
estimates all are 0(|) words long, the (j + l)-th estimate can be obtained from the 

j-th in 0((|) 2 ) time. Since only O(log^) iterations for each 2 l y/piJ are needed, this 

step takes 0(g(|) 2 log £) time. 
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Step H We compute A = Q((— l) 6l,1 rL,i, • ■ • , (^^) bq,lr q,i) by means of Fact [l] as 
follows. Let A = [logt] . Since |2 9<I A| is an integer at most 2* 1 +qe , we uniformly and in- 
dependently select A random positive integers w < (ip'+q£) 2 using 2A(logt+loglogro+ 
2 log log a + o(loglogo)) random bits and O(A^) time. Note that if 2 qi A ^ 0, then 
with probability at least 1 — some 2 q£ A mod w is nonzero. We next compute all 
2 9/ Amodw. For each element u € AuB, let e(u) be the number of 0's in the standard 
g-bit binary representation of u. Let h(u) — /«((— 1) 1 ' 1 2 i n i i, . . . , (— l) bq < 1 2 e r q .i). 
Then, 2<* e A = £™=i 2 e ^ e h( ai ) - £™ =1 2 e ( b ^/j(&. i ), which we use to compute all 
2 ql A mod w as follows. 

• Compute the numbers e(u) for all u G A U -B in 0{nq) time. 

• For all ui, compute all 2^1 modw in 0(Ag|^|^) time. 

• For all w, use values obtained above to compute /i(u)modw for all u in 
0(Anq(i^) 2 ) time. 

• For all w, compute 2 £ modu> in 0(\?-^§-) time. 

• For all w, use values obtained above to compute 2 e ^ e mod w for all u in 
0(An(i^) 2 logg) time. 

• For all u>, use values obtained above to compute 2 ?i Amodw in 0(\n{ 1 -^-) 2 ) 
time. 

This step uses 2 A (log i + log log n + 2 log log a + o(logloga)) random bits and takes 
0(Aq|^ + Anq(^) 2 ) time. 

Step [7| Output U A ^ _B" if and only if some 2 l, 'Amodw is nonzero. 
The next theorem summarizes the above discussion. 

Theorem 4.1. For any given t > 2, whether A = B can be determined in time 

o(,,o S ^) 2 + a„,(!^) 2 ), 

where q = 8(loga);£ = 8(£(logn + logalogloga));£ = 9(loglog(n + a)); A = 8(logi). 
The error probability is at most | using log a + 2 [log t] (log t + log log n + 2 log log a + 
o(logloga)) random bits. 

Proof. The running time of Algorithm [i] is d ominated by those of Steps |^ and ^. 
The error probability follows from Theore m |2.3| and Fact [j]. □ 

We use the next corollary of Theorem |4.l| to compare Algorithm [j] with ABKi 
and ABK2 in the modified model. 

Corollary 4.2. With t = 4, Algorithm |^ has an error probability at most \ 
using log a + 4 log log n + 8 log log a + o(log log a) random bits, while running in time 

( (log n + log a log log a) 2 \ 

O nloga + loga — - — - — ■ — r . 

V loglog(n + a) J 



By corollary 4.2, Algorithm [l] is faster than ABK^ for n = w((logloga) 2 ) and 
faster than ABK 2 for n = w ((loga) lo s lo s a ). Thus, it can replace ABK X and ABK 2 
to speed up the previously best checking algorithm for sorting j| as follows. We use 
bucket sort for 2 a < n; Algorithm |l| for (loga) logloga < n < 2 a ; and ABK 2 otherwise. 

Acknowledgments. We are very grateful to Steve Tate for useful discussions 
and to the anonymous referees for extremely thorough and helpful comments. 



REFERENCES 



10 



Z. Z. CHEN AND M. Y. KAO 



[1] M. Ajtai, J. KOMLOS, AND E. Szemeredi, Deterministic simulation in Logspace, in Proceed- 
ings of the 19th Annual ACM Symposium on Theory of Computing, 1987, pp. 132-140. 

[2] C. Berge, Graphs, North-Holland, New York, NY, second revised ed., 1985. 

[3] M. Blum and S. Kannan, Designing programs that check their work, Journal of the ACM, 42 
(1995), pp. 269-291. 

[4] S. Chari, P. Rohatgi, and A. Srinivasan, Randomness-optimal unique element isolation with 
applications to perfect matching and related problems, SIAM Journal on Computing, 24 
(1995), pp. 1036-1050. 

[5] A. Cohen and A. Wigderson, Dispersers, deterministic amplification, and weak random 
sources (extended abstract), in Proceedings of the 30th Annual IEEE Symposium on Foun- 
dations of Computer Science, 1989, pp. 14—19. 
[6] R. A. DeMillo and R. J. Lipton, A probabilistic remark on algebraic program testing, Infor- 
mation Processing Letters, 7 (1978), pp. 193-195. 
[7] Z. Galil, S. Micali, and H. Gabow, An 0(EV log V) algorithm for finding a maximal 
weighted matching in general graphs, SIAM Journal on Computing, 15 (1986), pp. 120-130. 
[8] R. Impagliazzo and D. ZuCKERMAN, How to recycle random bits, in Proceedings of the 30th 

Annual IEEE Symposium on Foundations of Computer Science, 1989, pp. 248-253. 
[9] N. JACOBSON, Basic Algebra, W. H. Freeman, San Francisco, 1974. 
[10] R. M. Karp, E. Upfal, and A. Wigderson, Constructing a perfect matching is in random 

NC, Combinatorica, 6 (1986), pp. 35-48. 
[11] W. J. LeVeque, Topics in Number Theory, vol. 1, Addison- Wesley, Reading, MA, 1956. 
[12] L. LOVASZ, On determinants, matchings and random algorithms, in Fundamentals of Comput- 
ing Theory, L. Budach, ed., Akadcmia-Verlag, Berlin, 1979. 
[13] S. MlCALl AND V. V. Vazirani, An 0(yJ~\V~\ ■ \E\) algorithm for finding maximum matching 
in general graphs, in Proceedings of the 21st Annual IEEE Symposium on Foundations of 
Computer Science, 1980, pp. 17-27. 
[14] P. MORANDI, Graduate Texts in Mathematics 167: Field and Galois theory, Springer- Verlag, 
New York, 1996. 

[15] R. MOTWANI AND P. Raghavan, Randomized Algorithms, Cambridge University Press, Cam- 
bridge, United Kingdom, 1995. 

[16] V. Pan, Complexity of parallel matrix computations, Theoretical Computer Science, 54 (1987), 
pp. 65-85. 

[17] J. H. Rowland and J. R. Cowles, Small sample algorithms for the identification of polyno- 
mials, Journal of the ACM, 33 (1986), pp. 822-829. 

[18] J. T. Schwartz, Fast probabilistic algorithms for verification of polynomial identities, Journal 
of the ACM, 27 (1980), pp. 701-717. 

[19] W. Thrash, A note on the least common multiples of dense sets of integers, Tech. Rep. 93- 
02-04, Department of Computer Science, University of Washington, Seattle, Washington, 
Feb. 1993. 

[20] W. T. Tutte, The factors of graphs, Canadian Journal of Mathematics, 4 (1952), pp. 314-328. 

[21] V. V. Vazirani, Maximum Matchings without Blossoms, PhD thesis, University of California, 
Berkeley, California, 1984. 

[22] R. E. Zippel, Probabilistic algorithms for sparse polynomials, in Lecture Notes in Computer 
Science 72: Proceedings of EUROSAM '79, an International Symposium on Symbolic and 
Algebraic Manipulation, E. W. Ng, ed., Springer- Verlag, New York, NY, 1979, pp. 216-226. 



